Thank you for posting your query.
Are these hashes for executable files?
If yes, you may use Access Protection rules to configure blocking of files based on hash value.
In ePO, go to Policy Catalog and select Access Protection rules.
Under the Rules section, click ADD, type the details, and provide the hash value.
Then add the subrule as shown below.
Thank you for your post!
I would like to confirm my understanding. You have received a list of hashes that are meant to be blocked. You are trying to implement the block operation using ePO.
Since you have posted the query in the ePO forum, I am unable to capture the product in question. We can block hashes using the Access Protection feature, which is available in ENS (Endpoint Security). We have other technologies that can be used as well if you have a TIE configured and if ATP is being used.
But I would like to start from scratch to understand the requirement here. First, are these hash values taken off from malicious files? If yes, then the first step here is to open a Service Request with us and confirm if McAfee has coverage for these hashes or not.
If the answer is no for one or more hashes, now you can think about the product and components to be used to block these hashes. If you are using ENS, you can follow the above suggestions and it should work like a charm. Please remember Access Protection is a bit tricky, and blocking "files" and "executables/processes" are 2 completely different things we deal with. I have explained it previously in this post if you would like to know in detail.
Please remember blocking using hash is not possible using VSE (VirusScan Enterprise) Access Protection. ENS allows use of MD5 hashes ONLY.
I sincerely hope this is helpful in reaching a solution for you.
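Added example, not part of the original thread or any McAfee tool: because the reply above states that ENS Access Protection accepts MD5 values only, this Python script separates a received hash list into MD5 entries that can go into a rule and entries that cannot, and computes a file's MD5 for comparison with a listed value. The sample list and all function names are constructed for illustration.

```python
import hashlib
import re

# Hex digest lengths for the algorithms commonly seen in shared hash lists.
_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"[0-9a-f]+")

# Constructed sample: digests of the empty string and of b"hello", not real indicators.
SAMPLE_LIST = """\
# hashes received for blocking (constructed sample)
D41D8CD98F00B204E9800998ECF8427E
d41d8cd98f00b204e9800998ecf8427e
5d41402abc4b2a76b9719d911017c592
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
5d41402abc4b2a76b9719d911017c59Z
"""

def classify(value):
    """Return 'md5', 'sha1', 'sha256' or 'invalid' for one candidate digest."""
    v = value.strip().lower()
    if not _HEX.fullmatch(v):
        return "invalid"
    return _LENGTHS.get(len(v), "invalid")

def triage(text):
    """Split a hash list into MD5 values usable in an ENS rule and everything else."""
    result = {"md5": [], "other": [], "invalid": []}
    seen = set()
    for line in text.splitlines():
        v = line.strip().lower()
        if not v or v.startswith("#") or v in seen:
            continue  # skip blanks, comments and case-insensitive duplicates
        seen.add(v)
        kind = classify(v)
        bucket = kind if kind in ("md5", "invalid") else "other"
        result[bucket].append(v)
    return result

def file_md5(path, chunk_size=1 << 20):
    """MD5 of a file on disk, read in chunks, to compare with a listed value."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

if __name__ == "__main__":
    for name, values in triage(SAMPLE_LIST).items():
        print(name, len(values), values)
```

Entries in the `other` bucket are valid digests that are not MD5, so by the statement above they cannot be entered in an ENS Access Protection rule as they stand.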
Hi User54256085,
Are you trying to block execution of an MD5 hash executable? If so, create an Access Protection rule, and in the Subrule, use the PROCESSES engine and the RUN operation, then specify the Executable by MD5 hash only.
I am also going to move this thread to the ens team. It also depends on the products you are using. If using TIE and Active Response, there is a better chance of doing that based on your hashes. But it can also be done through ENS. They can provide better guidance.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
How to block the hash file in TIE?
Do you have any KB that we can refer to?